npm audit returns error code E400 when dependency has empty string instead of version number

cli
security
priority:low
triaged

(Fulvio Casali) #1

What I Wanted to Do

I wanted to run npm audit and get some helpful information on what packages I need to upgrade. I narrowed it down to the simplest possible test case to reproduce the issue, which is just a bare package.json with a single dependency that has no version specified.

What Happened Instead

I always got an ERR! 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

Reproduction Steps

mkdir temp
cd temp
npm init

Accept all defaults.
Then edit package.json and add the following:

"dependencies": {
    "almond": ""
}

Finally, run:

npm i
npm audit

Result:

npm ERR! code E400
npm ERR! 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/me/.npm/_logs/2018-09-08T03_58_13_333Z-debug.log

Details

This is the full package.json file:

{
  "name": "audite400",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "almond": ""
  }
}

It doesn’t matter which dependency you use instead of almond.

Here is npm-debug.log:

0 info it worked if it ends with ok
1 verbose cli [ '/home/me/.nvm/versions/node/v8.11.4/bin/node',
1 verbose cli   '/home/me/.nvm/versions/node/v8.11.4/bin/npm',
1 verbose cli   'audit' ]
2 info using npm@6.4.1
3 info using node@v8.11.4
4 verbose npm-session 8cdfcf533c528420
5 timing audit compress Completed in 3ms
6 info audit Submitting payload of 2869 bytes
7 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 440ms
8 verbose stack Error: 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
8 verbose stack     at res.buffer.catch.then.body (/home/me/.nvm/versions/node/v8.11.4/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:94:15)
8 verbose stack     at <anonymous>
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:188:7)
9 verbose statusCode 400
10 verbose cwd /home/me/temp2
11 verbose Linux 4.4.132-14168-gf0bafd65338d
12 verbose argv "/home/me/.nvm/versions/node/v8.11.4/bin/node" "/home/me/.nvm/versions/node/v8.11.4/bin/npm" "audit"
13 verbose node v8.11.4
14 verbose npm  v6.4.1
15 error code E400
16 error 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
17 verbose exit [ 1, true ]

Platform Info

$ npm --versions
    { audite400: '1.0.0',
      npm: '6.4.1',
      ares: '1.10.1-DEV',
      cldr: '32.0',
      http_parser: '2.8.0',
      icu: '60.1',
      modules: '57',
      napi: '3',
      nghttp2: '1.32.0',
      node: '8.11.4',
      openssl: '1.0.2p',
      tz: '2017c',
      unicode: '10.0',
      uv: '1.19.1',
      v8: '6.2.414.54',
      zlib: '1.2.11' }

$ node -p process.platform
linux
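
Added example, not part of the original post and not npm's own code: a pre-audit check that lists dependency entries whose version spec is an empty (or whitespace-only) string, the condition reported above, so a CI job can report the offending entry by name instead of stopping at a bare E400 with no audit results. The function names, the sample manifest and the `example-*` package names are constructed for illustration; checking all four dependency maps goes beyond the single `dependencies` case in the report.

```javascript
'use strict';

// package.json maps that hold "name": "spec" pairs.
const DEP_FIELDS = [
  'dependencies',
  'devDependencies',
  'optionalDependencies',
  'peerDependencies',
];

// Return [{ field, name, spec }] for each entry whose spec is not a
// non-empty string (e.g. "almond": "" from the report).
function findEmptySpecs(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    // Skip absent or malformed maps; typeof null is 'object', so test it first.
    if (deps === null || typeof deps !== 'object' || Array.isArray(deps)) continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec !== 'string' || spec.trim() === '') {
        findings.push({ field, name, spec });
      }
    }
  }
  return findings;
}

// Parse manifest text (the contents of package.json) and check it.
// Malformed JSON throws, which should also fail the CI step.
function checkManifestText(text) {
  return findEmptySpecs(JSON.parse(text));
}

// One human-readable line per finding, suitable for a CI log.
function formatFinding(f) {
  return `${f.field}.${f.name}: version spec is ${JSON.stringify(f.spec)}; set an explicit range`;
}

// Constructed sample: the manifest from the report plus two made-up entries.
const SAMPLE = JSON.stringify({
  name: 'audite400',
  version: '1.0.0',
  dependencies: { almond: '', 'example-pinned': '^1.2.3' },
  devDependencies: { 'example-blank': '   ' },
});

for (const f of checkManifestText(SAMPLE)) console.log(formatFinding(f));
```

In a pipeline, pass the contents of the project's package.json to `checkManifestText` and fail the job when the returned list is non-empty, before `npm audit` runs.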


(Kat Marchán) #2

This is related to npm audit returns 400 from registry when non-registry packages satisfy specs that exist in the registry, but I don’t think strictly a duplicate. /cc @nlf